[Firehol-support] custom rule applied but resulting iptables are strange
Wojtek Swiatek
w at swtk.info
Mon Mar 28 20:04:30 BST 2016
Hello
I wanted to try a custom rule on my firehol setup:
router EVERYTHING
# LAN
server all accept inface lan0 outface int0 custom '-m time --timestart 6:00 --timestop 19:00'
server all accept inface lan0 outface br1
server all accept inface lan0 outface br2
# Minecraft
server minecraft accept inface int0 outface br2
server minecraft accept inface lan0 outface br2
server all accept inface br2 outface int0
# openvpn container, only via openvpn
server openvpn accept inface br1 outface int0
# openvpn server
server all accept inface tun0 outface lan0
server all accept inface tun0 outface int0
The idea was that traffic from lan0 to int0 should be restricted to the day.
The restriction did not work (it finally worked - it was my mistake: I
forgot that I should have used UTC, which is 2 hours behind my location), and
when I had a look at iptables -L the result was quite surprising. Doesn't it
mean that all traffic is allowed, no matter the interface?
As an example, the line
ACCEPT all -- anywhere anywhere ctstate NEW,ESTABLISHED
is repeated several times, without any information on the interface. Is
this normal?
Where is the information about which interface filters which traffic?
Chain in_EVERYTHING (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate NEW,ESTABLISHED TIME from 06:00:00 to 19:00:00 UTC
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED TIME from 06:00:00 to 19:00:00 UTC helper match "ftp"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED TIME from 06:00:00 to 19:00:00 UTC helper match "irc"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED TIME from 06:00:00 to 19:00:00 UTC helper match "sip"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED TIME from 06:00:00 to 19:00:00 UTC helper match "pptp"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED TIME from 06:00:00 to 19:00:00 UTC helper match "proto_gre"
ACCEPT all -- anywhere anywhere ctstate NEW,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "ftp"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "irc"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "sip"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "pptp"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "proto_gre"
ACCEPT all -- anywhere anywhere ctstate NEW,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "ftp"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "irc"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "sip"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "pptp"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "proto_gre"
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 multiport dports 9000,25565 ctstate NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 multiport dports 9000,25565 ctstate NEW,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate NEW,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "ftp"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "irc"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "sip"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "pptp"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "proto_gre"
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:openvpn ctstate NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spts:1024:65535 dpt:openvpn ctstate NEW,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate NEW,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "ftp"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "irc"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "sip"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "pptp"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "proto_gre"
ACCEPT all -- anywhere anywhere ctstate NEW,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "ftp"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "irc"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "sip"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "pptp"
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED helper match "proto_gre"
ACCEPT icmp -- anywhere anywhere ctstate RELATED
ACCEPT tcp -- anywhere anywhere ctstate RELATED tcp flags:FIN,SYN,RST,PSH,ACK,URG/RST,ACK
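On the question of where the interface information went: `iptables -L` without `-v` simply omits the `in`/`out` columns, so `iptables -vnL in_EVERYTHING` or `iptables -S in_EVERYTHING` shows the `-i`/`-o` matches that FireHOL attaches to each router rule. The script below is an added example, not the poster's or FireHOL's own code; it summarises constructed `iptables -S` lines (the rules are hypothetical, modelled on the post's config) so each rule's interfaces, states and time window are visible at a glance.

```python
"""Summarise `iptables -S <chain>` output: interfaces, states and time window per rule."""
import shlex

# Constructed sample (hypothetical, not captured from the poster's firewall) of what
# `iptables -S in_EVERYTHING` would print for rules of the kind in the post.
# Unlike `iptables -L` without -v, this form shows the -i/-o interface matches.
SAMPLE_RULES = """\
-A in_EVERYTHING -i lan0 -o int0 -m conntrack --ctstate NEW,ESTABLISHED -m time --timestart 06:00:00 --timestop 19:00:00 -j ACCEPT
-A in_EVERYTHING -i lan0 -o br1 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_EVERYTHING -i br1 -o int0 -p udp -m udp --sport 1024:65535 --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
"""

# iptables-save style flag -> field name. Anything else (-m conntrack, -m time, ...) is skipped.
FLAGS = {"-A": "chain", "-i": "in", "-o": "out", "-p": "proto", "-j": "target",
         "--ctstate": "ctstate", "--timestart": "timestart", "--timestop": "timestop"}


def parse_rule(line):
    """Parse one `-A ...` line into a dict of the fields we care about."""
    toks = shlex.split(line)
    rule = {"chain": None, "in": "*", "out": "*", "proto": "all", "target": None,
            "ctstate": None, "timestart": None, "timestop": None}
    # Walk option/value pairs; values (lan0, NEW,ESTABLISHED, ...) never collide with flags.
    for key, val in zip(toks, toks[1:]):
        if key in FLAGS:
            rule[FLAGS[key]] = val
    # xt_time compares against UTC unless --kerneltz is given, which is why the
    # poster's 06:00-19:00 window had to be written in UTC.
    rule["tz"] = "kernel tz" if "--kerneltz" in toks else "UTC"
    return rule


def summarise(text):
    """One human-readable line per rule, in chain order, skipping -P/-N lines."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        r = parse_rule(line)
        window = f"{r['timestart']}-{r['timestop']} {r['tz']}" if r["timestart"] else "any time"
        rows.append(f"{r['chain']}: {r['in']} -> {r['out']} proto={r['proto']} "
                    f"ctstate={r['ctstate']} {window} => {r['target']}")
    return rows


if __name__ == "__main__":
    # On a live firewall, feed it `iptables -S in_EVERYTHING` output instead of the sample.
    print("\n".join(summarise(SAMPLE_RULES)))
```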